pcap-did-what: Analyze pcaps with Zeek and a Grafana Dashboard

Zeek & Grafana Integration for Network Monitoring

This repository provides a quick way to get started using Zeek with a practical use case. The focus is to analyse a network pcap and enable easy visual analysis using Grafana Charts.
The mini project consists of three parts.

  1. Custom Zeek Docker build that generates Zeek log files with GeoIP, ASN and JA3 / JA4 fingerprints.

  2. Python script to convert Zeek log files to an SQLite database.

  3. Custom Grafana Docker build with a pre-configured dashboard for analysing Zeek Data.

Keeping this project simple and broken up into three parts should help both Zeek newcomers and those with more experience get up and running quickly. Working from these base images it would be an easy task to add other packages, and extend the dashboard to suit your own environment or use case.

Overview

The project is structured to use Docker containers for easy setup and portability. It includes a customized Zeek container for log generation and a Grafana container for data visualization.

File Structure

  • Dockerfile: Located at ./pcap-did-what/zeek-docker/Dockerfile, this file creates a Docker container based on the official Zeek image. It includes the installation of necessary packages for JA3 / JA4 fingerprinting and GeoIP, with a custom script for ASN enrichment.
  • local_asn.zeek: Located at ./pcap-did-what/zeek-docker/local_asn.zeek, a small Zeek script that adds ASN information to the conn.log. The script uses the built-in Zeek function lookup_autonomous_system.
  • docker-compose.yml: Found in ./pcap-did-what/grafana-docker/docker-compose.yml, this Docker Compose file sets up the Grafana container, configuring it to use a custom SQLite datasource and including volumes for persistent storage and configuration.
  • dashboard.yml: Located at ./pcap-did-what/grafana-docker/dashboards/dashboard.yml, this configuration file specifies the dashboard provider settings for Grafana.
  • datasource.yml: Found in ./pcap-did-what/grafana-docker/datasources/datasource.yml, this file configures Grafana to use an SQLite database as the data source, pointing to the Zeek logs stored in SQLite format.
  • GeoLite2-ASN.mmdb: Place in ./pcap-did-what/zeek-docker/; this required file must be downloaded from MaxMind.
  • GeoLite2-City.mmdb: Another required file from MaxMind. Register for a free account, download the file, and place it in zeek-docker.
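The conversion step (part 2 above, whose output the datasource.yml entry points Grafana at) can be illustrated with an added example. This is not the repository's own converter script. It parses Zeek's ASCII log headers (#separator, #fields, #types, #unset_field, #empty_field), creates one SQLite table per #path with column types derived from Zeek's #types, and runs a dashboard-style query over the result. The sample conn.log text is constructed for illustration, and the orig_asn column is a hypothetical name standing in for whatever column an ASN enrichment script appends.

```python
"""Load Zeek ASCII (TSV) logs into SQLite, one table per Zeek #path.

Added example, not the repository's own converter. The sample conn.log below is
constructed for illustration; "orig_asn" is a hypothetical column name standing in
for whatever an ASN enrichment script appends to conn.log.
"""
import codecs
import sqlite3
import sys
from typing import List, Optional, Tuple

# Zeek #types -> SQLite affinity. Anything else (addr, string, enum,
# set[...], vector[...]) is stored as TEXT.
ZEEK_TO_SQLITE = {
    "time": "REAL", "interval": "REAL", "double": "REAL",
    "count": "INTEGER", "int": "INTEGER", "port": "INTEGER", "bool": "INTEGER",
}

# Constructed sample in Zeek's ASCII log format (tab-separated).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tconn_state\torig_asn",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tstring\tcount",
    "1700000000.123456\tCAbc1\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp\tssl\t0.532\t1200\tSF\t64496",
    "1700000001.000000\tCAbc2\t192.0.2.11\t51235\t198.51.100.5\t80\ttcp\thttp\t-\t-\tS0\t64496",
    "1700000002.500000\tCAbc3\t192.0.2.12\t53\t203.0.113.9\t53\tudp\tdns\t0.010\t60\tSF\t-",
    "#close\t2023-11-14-22-13-22",
]) + "\n"


def parse_zeek_log(text: str) -> Tuple[str, List[str], List[str], List[List[Optional[str]]]]:
    """Parse Zeek's ASCII log format. Returns (#path, #fields, #types, rows)."""
    sep, unset, empty = "\t", "-", "(empty)"
    path, fields, types, rows = "", [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator itself is written escaped (e.g. \x09) after a space.
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #open, #close and #set_separator are not needed here
        cells = line.split(sep)
        if len(cells) != len(fields):
            raise ValueError(f"row has {len(cells)} cells, header declares {len(fields)}")
        # Unset fields become NULL; explicitly empty fields become an empty string.
        rows.append([None if c == unset else "" if c == empty else c for c in cells])
    if not path or not fields or len(types) != len(fields):
        raise ValueError("log is missing a usable #path/#fields/#types header")
    return path, fields, types, rows


def to_sql_value(cell: Optional[str], ztype: str):
    """Convert one cell according to its Zeek type so SQLite can aggregate it."""
    if cell is None:
        return None
    if ztype == "bool":
        return 1 if cell == "T" else 0
    affinity = ZEEK_TO_SQLITE.get(ztype, "TEXT")
    if affinity == "INTEGER":
        return int(cell)
    if affinity == "REAL":
        return float(cell)
    return cell


def quote_ident(name: str) -> str:
    # Zeek column names such as id.orig_h contain dots, so identifiers taken from
    # the log header are always double-quoted (with embedded quotes escaped)
    # rather than spliced into SQL text as-is.
    return '"' + name.replace('"', '""') + '"'


def load_zeek_log(db: sqlite3.Connection, text: str) -> Tuple[str, int]:
    """Create a table named after #path and insert every row; returns (table, rows)."""
    path, fields, types, rows = parse_zeek_log(text)
    columns = ", ".join(f"{quote_ident(f)} {ZEEK_TO_SQLITE.get(t, 'TEXT')}"
                        for f, t in zip(fields, types))
    db.execute(f"CREATE TABLE IF NOT EXISTS {quote_ident(path)} ({columns})")
    placeholders = ", ".join("?" for _ in fields)
    db.executemany(
        f"INSERT INTO {quote_ident(path)} VALUES ({placeholders})",
        ([to_sql_value(c, t) for c, t in zip(row, types)] for row in rows),
    )
    db.commit()
    return path, len(rows)


def convert_to_sqlite(text: str, db_path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(db_path)
    load_zeek_log(db, text)
    return db


def bytes_per_asn(db: sqlite3.Connection):
    """Dashboard-style query: bytes sent per origin ASN, unset ASNs excluded."""
    return db.execute(
        'SELECT "orig_asn", SUM("orig_bytes") FROM "conn" '
        'WHERE "orig_asn" IS NOT NULL GROUP BY "orig_asn" ORDER BY 2 DESC'
    ).fetchall()


if __name__ == "__main__":
    # Usage: python zeek2sqlite.py [conn.log] [output.db]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONN_LOG
    conn = convert_to_sqlite(text, sys.argv[2] if len(sys.argv) > 2 else ":memory:")
    print(bytes_per_asn(conn))
```

Typing columns from the #types header (rather than loading everything as TEXT) is what lets Grafana panels sum byte counts and bucket timestamps directly in SQL; unset fields are stored as NULL so aggregates skip them instead of failing on "-".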

Install & Use

Copyright (c) Hacker Target Pty Ltd.